[keycloak-dev] bring back ability to disable direct grant

Stian Thorgersen stian at redhat.com
Mon Jun 15 13:43:17 EDT 2015


Recaptchas are not seen as secure, they just make it slightly harder. Brute-force protection and intrusion detection are still needed. IMO recaptchas are a false sense of security and the only thing they do is bug the shit out of users.

Direct grant should definitively be enabled by default, but I don't have any objections to having an option to disable it.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 15 June, 2015 4:11:36 PM
> Subject: [keycloak-dev] bring back ability to disable direct grant
> 
> I was thinking about recaptcha support.  The purpose of recaptcha is to
> make sure a bot is not trying to log into the system.  Really good for
> something like registration, but also very useful for regular logins for
> extra security.  Recaptcha would alleviate the need for Brute Force
> Protector.
> 
> The thing is though, if you still have direct grant, then putting in
> recaptcha at login is pointless as an attacker can just go through
> direct grant.
> 
> Can we bring back the ability to disable direct grant?
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com